The Role and Responsibility of the External Auditor towards the Cloud Computing (An Empirical Study)
Hxxx Hxxxxxx Mxxxxxx
1. Chapter One: General Framework
1.1 Introduction and Background
Cloud computing represents one of the challenges facing both accountants and auditors, since some organizations have moved to adopt it. The use of cloud computing has increased dramatically in the last few years. It also represents a new type of economic business pattern at the global level, in an information age of advanced modern technology in which borders and geographic distance disappear and the concept of the determinants of capital has changed. With cloud computing, it has become imperative for economic units that seek to strengthen their competitive position to adapt to the electronic environment, by changing their accounting systems radically or gradually and focusing on so-called electronic accounting. New technologies have emerged in the business world as an extension of the electronic environment and its development, and they are among the most important challenges facing accounting and auditing. The modern revolution in Information Technology (IT) has become the backbone of cloud computing. As E-Business (EB) activities develop, they run on computer and communications networks, and this strong dependence on computer systems poses a huge threat where control is ineffective. Inappropriate use may result in disastrous consequences, and the existence of computer viruses, hackers, computer crimes, and so on has led to the risk of information distortion in cloud computing.
The traditional accounting information system is limited by many factors, including inadequate preparation of hardware facilities, a lack of professionals, high initial investment costs, and a complex maintenance process, which restrict the development of accounting information in some companies and greatly weaken the enterprise’s competitiveness. In recent years, cloud accounting has received considerable attention in the industry for its low-cost, high-efficiency mode of accounting information technology. Cloud accounting is a virtualized accounting information system that provides accounting services to the enterprise over the Internet. The concept can be explained from two perspectives. For the cloud accounting supplier, cloud accounting is an accounting information system built on cloud computing technology, and suppliers need to provide the hardware and software facilities and construct the accounting information system. For businesses, cloud accounting is based on the Internet, so a business that wants to use the online accounting information system needs to pay for it. The construction of cloud accounting is currently a hot issue in industry and academia, and it has an absolute advantage in terms of cost, efficiency, reliability, etc. (Zhang Cancan, 2014).
The cloud operating model is currently a hot topic in the world of cloud accounting. Cloud accounting, also called “online accounting,” works like bookkeeping software that users install on their own computers, except that cloud accounting software runs on the servers of an online service provider; it is suitable for any number of users, and companies and organizations can access it over the Internet using their web browser. This means that you, as a user, company or organization, are able to access your company’s finances from anywhere and from any device whenever you have an Internet connection. Accounting firms and organizations access online accounting applications through the cloud as “software services”; in effect, they buy the use of accounting software from an online service provider under the Software as a Service (SaaS) model. They do not pay for software, hardware or the network, but purchase the computing power and software services they need (Webopedia.com, 2013). On this interpretation, many accounting professionals conclude that cloud computing is simply outsourcing, old wine in new bottles, and have gone astray. Cloud computing is like business process outsourcing in that services are purchased from one or more outsourcing service organizations. A key difference in what the buyer is usually a process of outsourcing work is defined as the average salary in what is cloud computing infrastructure and services purchased fan some or all of the information that may be done not rely on it. Essentially, information technology infrastructure affects all areas of business, including accounting firms. It therefore seems logical that cloud computing is needed in accounting too.
Small businesses are the biggest beneficiaries of online cloud accounting, and there are numerous ways in which moving to the cloud can be of value. Working in the cloud will give you the opportunity to reduce the amount of time you spend on difficult, time-consuming tasks, allowing you to concentrate on what you do best: growing your business. You can also be confident that you will have greater access to real-time data for your business, no matter where you are, as business information is accessible any time, any place, on any device that has internet access (much like internet banking).
Information, knowledge and the emergence of big data are undoubtedly key to growth and success for businesses (Srikumar, 2013). The emergence of cloud computing and its growing impact on business in general is gaining traction around the world. Mortar companies such as Google and Salesforce.com reflect the model of cloud computing through sharing web infrastructure in terms of data storage, scalability, and computation (Kambil, 2009). In many ways, this role complements the invaluable role of ICT, which has been emerging with a growing impact since the early 1980s and which then took a major boost with the proliferation of the Internet and the World Wide Web a decade later. According to Abeer Gamal, who works for one of the leading business associations in Egypt dealing mainly with SMEs: ‘ICT is the driver of the organization and especially SMEs; it keeps us competitive compared to our peers.’ On a more macro scale and at the global front, according to Gartner research, the cloud computing global market reached 150 billion US dollars in 2013 (Gartner, 2013). Moreover, according to a Boston Consulting Group study (2013) ‘technology adopter firms have increased their annual revenues 15% faster than firms with lower levels of technology adoption.’ In other words, cloud computing is a model for enabling on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned with minimal management effort (NIST, 2011).
Larger companies adopt cloud computing and they understand the potential and know how to utilize it to its full effect.
Benefits for the company:
1. Real-time feedback to the project team, management and the audit committee with respect to control design and implementation.
2. Allows management to respond in a more timely manner to project and control issues.
3. Feedback relative to the use of more effective and cost-efficient automated application controls.
4. Identifies risks which could jeopardize project timeliness or objectives.
5. Provides feedback to management and the audit committee on other matters which may come to our attention.
Benefits for the audit:
1. In-depth understanding of the impacts on internal control over financial reporting.
2. Early identification of potential audit and control related issues, which reduces the chances of surprise.
3. Identification of automated controls, helping to improve control testing effectiveness and efficiency.
4. Information about the integrity of underlying financial data.
5. Updated audit documentation relative to changes in IT, new processes and new controls to help facilitate effective audit planning, walk-through and control testing (KPMG, 2012).
There are four different cloud deployment models: public, community, private and hybrid cloud environments. For example, SaaS usually operates within the public model, where it is available to everyone with an Internet connection, such as salesforce.com serving business-to-business (B2B) companies. Salesforce.com focuses on managing customer details and running sales campaigns; a typical customer relationship management (CRM) platform will be defined later (Sherif Kamel, Mariam Abouseif, 2015).
In Egypt, cloud computing is the methodology that helps organizations to achieve the maximum amount of IT efficiency and makes it possible to store, manage and analyze the world's steadily growing information. It reflects a new consumption, supplement, and delivery model for IT services. It offers computing processing power, storage, network bandwidth, software usage, software development, testing, security, and identity as services over the Internet. The Ministry of Communications and Information Technology (MCIT) addresses Cloud Computing, Data Centers, Integrated Solutions, and Web 2.0 as top priorities in the international ICT agenda.
Towards this end, many agreements have been signed with foreign authorities in Germany, Malaysia, and Singapore for the purpose of sharing their expertise in preparing qualified Egyptian personnel to join this new industry.
Cloud computing offers tremendous cost-effectiveness by providing a ‘pay per use’ model and ensures professional management of the infrastructure. It is fair to say that this model is bound to change the façade of IT usage across the world in the immediate near future.
It is expanding and becoming a popular solution among businesses worldwide as it has presented efficient and optimistic results. Increased revenues, expanding businesses, and new job creation, not limited to the information technology sector, are all possible through the extensive use of cloud computing (MCIT.com, 2016).
The National Telecom Regulatory Authority (NTRA) has addressed the four telecommunications companies in preparation for launching fourth-generation licenses, according to statements made by the Minister of Communications and Information Technology, Yasser El-Kady. The minister said that “before the end of the month of May 2016 will be the completion of the licenses to begin offering, the device has already called for the three companies (Vodafone, Orange and Telecom Egypt) to buy licenses”. Fourth-generation service will allow users to use the Internet at high speeds and, for example, to work with cloud computing.
1.2 Characteristics of cloud computing
Cloud computing services have characteristics which distinguish them from other technologies:
As a rule, cloud computing users do not own the IT resources they use, the servers they exploit being hosted in external data centers.
Services are provided via the pay-per-use model or subscription model.
The resources and services provided to the client are often virtual and shared among several users.
The services are provided via the internet.
With these characteristics, cloud computing technology is a new solution giving users the option to access software and IT resources with the desired flexibility and modularity and at very competitive prices (Maaref, S., 2012).
1.3 Description of the main cloud computing services
Cloud computing comprises five types of services:
Infrastructure as a Service (IaaS): virtualized on-demand server, virtualized data center, flexible on-demand storage space, flexible local networks (LANs), firewalls, security services, etc.
Platform as a Service (PaaS): platform for cloud computing services provision (customer service management, billing, etc.).
Software as a Service (SaaS): business applications, customer relations and support (CRM), HR, finance (ERP), online payments, electronic marketplace (for very small and small and medium-sized enterprises), etc.
Communication as a Service (CaaS): audio/video communication services, collaborative services, unified communications, e-mail, instant messaging, data sharing (web conference).
Network as a Service (NaaS): managed internet (guaranteed speed, availability, etc.), virtualized network (VPNs) coupled with cloud computing services, flexible and on-demand bandwidth (Maaref, S., 2012).
1.4 Legal framework of cloud computing
Governance in cloud computing mode
Comparison between the cloud computing and conventional “hosted applications” modes.
Comparison between the cloud computing and “licensed software” modes.
Interoperability and reversibility in cloud computing (Maaref, S., 2012).
1.5 Research problem and Questions
The main problem can be stated as follows: What is the impact of cloud computing on the external auditor’s work? This can be summarized in the following points:
What is the methodology used by the external auditor towards cloud computing to ensure the quality of the process?
What are the requirements needed by the external auditor in Egypt to face the new risks associated with the practice of cloud computing?
Is the external auditor in Egypt able to audit financial statement data for cloud computing processes, and to face its challenges in light of his current skills?
1.6 Research Objectives
The main objective behind choosing this topic is to define the role and responsibility of the external auditor towards cloud computing, to identify the requirements and characteristics of cloud computing, and to describe the approaches of E-Auditing that deal with information systems. This leads us to identify the obstacles that stand in the way of cloud computing in Egypt.
How are transactions recorded in cloud computing?
The major risk facing cloud computing accounting and auditing.
Are external auditors in Egypt qualified and well trained to do this type of audit?
1.7 Research Hypotheses
The empirical study will be conducted through a self-developed questionnaire distributed among external auditors (CPA firms, banks, and university staff). The survey will be conducted from a quantitative perspective. This study aims to examine the role and responsibility of the external auditor towards cloud computing activity. In order to assess the validity of the hypotheses in this research, the researcher uses the following set of hypotheses:
H01: There is a relationship between cloud computing activity and current skills, knowledge and qualification of Egyptian auditors in Egypt.
H02: There are impacts of cloud computing on the audit report.
H03: There are impacts of cloud computing on the risks of the audit process in Egypt.
H04: Cloud computing requires sufficient qualifications for auditors in the use of new technological tools used in the field of accounting.
1.8 Research Methodology
1.8.1 Theoretical study
This research will focus on two corners. The first corner is accounting and how transactions are recorded in approved documents. The second corner is the role and responsibility of the external auditors and the impact of cloud computing on the external auditor’s work. The third corner is the study of cloud computing in general, to understand how it operates. Therefore, the aims of the theoretical study are:
Identify the requirements and characteristics of cloud computing.
Explore whether the external auditors are able to carry out audit planning, the audit process, and the audit report.
Identify the impacts of cloud computing on the risks of the audit process in Egypt.
1.8.2 Empirical Study
The empirical study will start where the theoretical part left off. It will be conducted through a self-developed questionnaire distributed among the companies, and it tackles the factors that were identified in the theoretical section. The survey will be conducted from a quantitative perspective. The factors will be tested to determine the extent to which they influence the role and responsibility of the external auditors. The objective of the study is to examine whether the different factors have a direct effect on the level of responsibility of the external auditor. The effects of the different factors will be analyzed with the SPSS program, using statistical techniques such as multiple regression and means analysis.
The samples will focus on accountants working in cloud computing, external auditors within the auditing firms in Egypt and companies working with cloud computing.
1.9 Research Structure
The thesis structure is divided into five main chapters as follows:
The first chapter is the General framework introduction.
The second chapter discusses the role of accountants, their problems, evidence, and the major risks facing accountants, as well as tax.
The third chapter discusses the auditors’ background, role, responsibilities and challenges.
The fourth chapter discusses the cloud computing Background, Types, Security and Risks.
The fifth chapter discusses the empirical study’s findings and results and the conclusion of the whole thesis.
1.10 Literature Review
1) Bisong, A., & Rahman, M. (2011). An overview of the security concerns in enterprise cloud computing:
Objectives: In this paper, the authors discuss security risks and concerns in cloud computing and highlight steps that an enterprise can take to reduce security risks and protect its resources. They also explain the strengths and benefits, weaknesses, and applicable areas of cloud computing in information risk management. The paper discusses cloud computing security concerns and the security risks associated with enterprise cloud computing, including its threats, risks and vulnerabilities.
Findings: Cloud computing is a combination of several key technologies that have evolved and matured over the years. Cloud computing has the potential to save costs for enterprises, but the security risk is also enormous.
Enterprises looking into cloud computing technology as a way to cut costs and increase profitability should seriously analyze the security risk of cloud computing.
The strength of cloud computing in information risk management is the ability to manage risk more effectively from a centralized point. Security updates and new patches can be applied more effectively, thereby allowing business continuity in the event of a security hole. The weaknesses of cloud computing include issues such as the security and privacy of business data hosted in remote third-party data centers, being locked in to a platform, reliability and performance concerns, and the fear of making the wrong decision before the industry begins to mature.
Enterprises should verify and understand cloud security, carefully analyze the security issues involved and plan ways to resolve them before implementing the technology. Pilot projects should be set up and good governance should be put in place to deal effectively with security issues and concerns. The authors believe the move into cloud computing should be planned and should be gradual over a period of time.
Comments: This paper gave an overview of security concerns in enterprise cloud computing, but it did not explore the risks that will face external auditors in cloud computing.
2) P. Krubhala and K. SaravanaKumar (2013). Dynamic auditing and accounting mechanism for policy based data access in cloud:
Objectives: Cloud computing is an advancement in the field of information technology. The term cloud computing can be illustrated as the pay-as-you-use model in which this framework includes collection task where they are assigned to the clients who need it. Without the features of the internet, it is impossible to provide a cloud environment. Many gains can be achieved through the cloud, such as scalability, availability, flexibility, large amounts of storage space, low cost and so on.
Although it offers these benefits, the major risk of cloud technology concerns the security and confidentiality of data stored and shared within or between third-party environments. In order to overcome this problem, an auditability scheme can be provided; this methodology supports checking the integrity of the data being stored and preserves user data privacy. Further, the authors’ work also proposes an accounting mechanism for metering resource usage, in which the system encloses user data along with their policies. The result of the accounting mechanism is the generation of the log record.
Finding: Assurance of cloud security is achieved by imposing both the auditing and the accounting features. These are the two major features considered to solve security-related issues in the cloud. The authors achieved the monitoring process in the cloud environment by proposing an efficient accounting mechanism which generates the log record as the result of the accounting function. In addition, it increases the level of security by allowing data owners to specify their service level agreements, which are the contract between the service providers and users to keep their data secure. To improve the level of security, the proposed work also allows the integrity of the cloud storage to be verified. This is achieved by allowing a third-party auditor to audit the data, and it also supports batch auditing and dynamic modification of the data in the cloud.
Comments: The authors propose an accounting mechanism for metering resource usage, in which the system encloses user data along with their policies. The result of the accounting mechanism is the generation of the log record, while this thesis continues to record sufficient evidence documents to be audited.
3) Trivedi, H. (2013). Cloud Adoption Model for Governments and Large Enterprises: Submitted to the MIT Sloan School of Management in partial fulfillment of the requirement for the degree of Master of Science in Management Studies at the Massachusetts Institute of Technology:
Objectives: The objectives are summarized in the following questions: How should the government, public sector or a large enterprise go about adopting cloud? Is there a particular path to be followed? Are certain steps necessary to the cloud adoption process? Do certain characteristics define organizations in the process of cloud adoption? Should certain competencies be developed for a successful move to the cloud? How do different organizations at different stages of cloud adoption look different from each other? Are there any examples to refer to? The objective of this thesis is to answer these questions by studying in depth large enterprises and governments which are either thinking of moving to the cloud or have taken steps to adopt cloud, identify any emerging patterns, explore drivers of cloud computing, and craft a model for cloud computing adoption.
Finding: Cloud is known as different things to different audiences, but agencies such as NIST have cleared the mist to some degree. As organizations across the public and private sectors understand what cloud means for them, they are looking to act and deploy cloud solutions. Some organizations, studied as part of this thesis, have made significant progress in their journey to cloud and others are just about starting. These organizations offer tenable insights into what makes for a successful cloud program and the required competencies. Certain themes such as application rationalization and modernization, standardization, centralized governance (IT Monarchy / Business Monarchy or IT Monarchy / Federal Combinations), and change management have revealed themselves as common threads. The journeys specifically have been marked by proof of concepts, technology selection, infrastructure service, and platform service as milestones. The organizations at different stages of cloud adoption exhibit different characteristics and possess distinct competencies, and organizations should not bite off more than they can chew, lest their programs fall flat. Furthermore, what might constitute a success for one organization might turn out to be a not so successful initiative for another organization, as evidenced by virtual desktop. Last but not least, cloud programs require competencies that organizations have tried to master for many decades now, but what makes them different in the context of cloud is the scale, i.e., cloud programs touch every piece of hardware, development platform, and enterprise software application in an organization and will potentially run for at least a decade for a large organization.
Comments and areas of further study: The thesis has attempted to explore in detail cloud adoption examples from a wide cross-section of organizations, raise questions and answer them. But many key questions still remain and these can be further areas of study. The Cloud Adoption Model discussed in this study is based on private cloud deployments. Increasingly organizations are looking at hybrid deployment models comprising private and public clouds. Further study can be done to understand cloud adoption in a hybrid scenario. The model equates the context of governments and large enterprises. The generalization has enabled the formulation of a model but ignored any specific procurement and adoption patterns. The model can be studied further to identify differences between adoption for governments and large enterprises. All of the organizations studied are in the process of adopting cloud. It shall be worthwhile to investigate those organizations where cloud program was executed but the results were not as per expectations. This shall test the tenets of the proposed adoption model and also suggest modifications. Cloud by its nature converts ostensible vertical silos into horizontal discs expected to perform different functions. Will such a horizontal, based on common standards, of verticals enable flexibility or impede it in the future when businesses change? As organizations leap into the future by executing cloud programs, they are also rooted in the past through a landscape of legacy applications, many of them business critical. Cloud programs offer the opportunity to rationalize and modernize those applications but to what extent should organizations returned legacy applications? How can organizations optimally manage their legacy and cloud platforms? Last but not the least; is it likely in any scenario for an organization to move back from cloud platform to a non-cloud platform? 
What could be the reasons behind such a move and how will it impact the platform strategy of future?
4) Brender, N., and Markov, I. (2013). Risk perception and risk management in cloud computing: Results from a case study of Swiss companies:
Objectives: In today’s economic turmoil, the pay-per-use pricing model of cloud computing, its flexibility and scalability and the potential for better security and availability levels are alluring to both SMEs and large enterprises. However, cloud computing is fraught with security risks which need to be carefully evaluated before any engagement in this area. This article elaborates on the most important risks inherent to the cloud such as information security, regulatory compliance, data location, investigative support and provider lock-in and disaster recovery. The researchers focus on risk and control analysis in relation to a sample of Swiss companies with regard to their prospective adoption of public cloud services. The researchers observe a sufficient degree of risk awareness with a focus on those risks that are relevant to the IT function to be migrated to the cloud. Moreover, the recommendations as to the adoption of cloud services depend on the company’s size, with larger and more technologically advanced companies being better prepared for the cloud. As an exploratory first step, the results of this study would allow broader research into cloud computing risk management in Switzerland to be designed and implemented.
Finding: Cloud computing presents some important risks which should be assessed by any enterprise considering engagement in this area. The main contribution consists of an empirical study of a sample of Swiss companies which aimed at analyzing the understanding of the risks that public cloud services present and how they can be managed. Even though the sample size is very limited, the authors can see sufficient awareness of both the risks and the management solutions. The authors of the reports have consulted the large volume of literature pertaining to cloud computing risks, with some of the reports referring to the Swiss regulatory context as well. There is also a degree of originality in the reports, as they have considered the risks in the specific context of the concerned companies and according to their needs and capabilities.
As the authors could see, the detail and focus of the reports correspond to the particularity of the IT function to be migrated to the cloud. Therefore the reports were not mere recounts of existing literature but show business awareness and planning capabilities. As far as the final recommendations of whether to go on the cloud are concerned, the authors found that they depend on the company’s size, technological expertise, and corporate culture but not on the criticality of the process or sensitivity of the data to be migrated. The flexibility and cost-efficiency of the cloud should be more attractive to small and medium-sized enterprises (SMEs) as compared to large companies. On the other hand, there may still be a certain level of mistrust in SMEs regarding the cloud, as they lack sufficient expertise and risk management skills. Indeed, the reports suggest that large companies are better prepared for the adoption of cloud services. Nevertheless, as this paper has shown, understanding, assessment, and mitigation of the risks are vital when it comes to cloud computing. Once these steps have been properly addressed, where necessary with the help of external advice, the cloud may not look like such a dangerous place even for SMEs.
Comments: The authors stress again the limited nature of the study, whose purpose was to serve as an introductory exploration of risk analysis with regard to the prospective adoption of cloud services. These findings cannot be extrapolated to all Swiss companies, but they allow a stricter and more rigorous methodology to be devised for further studies based on interviews, questionnaires or quantitative surveys. This thesis, by contrast, will be applied to Egyptian companies and CPA firms.
5) Zhang, C. (2014). Challenges and Strategies of Promoting Cloud Accounting:
Objectives: Cloud accounting, as a new mode of accounting information model, plays an important role in the enterprise accounting informationization process. Compared with the traditional accounting informationization system, cloud accounting boasts the advantages of low investment cost, low maintenance costs, and low barriers to entry, but with the continuous development of cloud accounting, related problems arise one after another, such as poor security and unique services. Solving these problems in order to promote the popularization and application of cloud accounting in enterprises requires the joint efforts of enterprises, suppliers and government.
Finding: Cloud accounting, as a new online accounting service, has its unique advantages, but it also faces many challenges in the application process. Cloud accounting suppliers should consider how to improve the security, functionality and public recognition of cloud accounting services, contributing to the sound and healthy development of cloud accounting services and allowing more companies to accept and adopt them. With the gradual improvement of the cloud accounting services model, large enterprises and multinational organizations will adopt this model, making cloud accounting develop and spread faster in the future so as to facilitate the process of accounting information technology.
6) Abd Al-kaderkalaf, O., and Ayyed, E. (2015). IT Auditing to Assure a Secure Cloud Computing for Enterprise Applications:
Objectives: The objectives of the study are summarized as follows:
To present and study the detailed framework of the cloud computing for enterprise applications.
To design and implement the large database based enterprise application for the cloud computing environment.
To implement the IT auditing mechanism for the security purpose.
Finding: In this research project, they discuss the evolution of the cloud computing paradigm for large business applications such as CRM, and introduce a new framework for secure cloud computing using the method of IT auditing. The approach is directed towards establishing a cloud computing framework for customer relationship management (CRM) applications with the use of checklists that follow the data flow of the CRM application and its lifecycle. Those checklists are prepared on the basis of cloud computing models such as deployment models and service models. The main concern of the project is to present the implications of cloud computing through a large-database enterprise CRM application and to achieve the desired level of security through the design and implementation of an IT auditing technique. They claim that the proposed methods for CRM applications will provide the security, regulation, and compliance of such cloud computing environments.
7) Kamel, S., Abouseif, M. (2015). A Study of the Role and Impact of Cloud Computing on Small and Medium Size Enterprises (SMEs) in Egypt:
Objectives: This paper aimed to analyze the business potential of offering cloud computing services to small and medium-sized enterprises (SMEs) in Egypt. It addressed the challenges that need to be tackled to maximize the utilization of cloud computing services and the role and prospects to be played by SMEs in transforming the economy in Egypt. SMEs are invaluable to fuel economic development and growth as well as creating employment opportunities in emerging economies especially in markets like Egypt with a massive youth opportunity represented by the current population demographics and projected growth ratios. The combination of youth, technology and the emergence of an entrepreneurial culture could represent the successful and much-needed ingredients for an ideal platform to support socioeconomic development moving forward. Several previous studies indicated a clear correlation between the proper adoption, diffusion, and adaptation of information and communication technology (ICT) and the development and growth of revenues and jobs among startups due to the prospects of emerging technologies that can categorically empower SMEs. In the world of cloud computing, ICT can help SMEs leverage an already existing and growing interconnected global community of consumers, businesses, industries, and markets of unprecedented and still growing size.
This study highlighted some of the facts and developments in the space of SMEs and the emerging role ICT is playing in the entrepreneurial ecosystem with a focus on cloud computing deployment and the associated challenges, opportunities and underlying potential in the context of an emerging economy, Egypt. The research methodology deployed in the study is primarily based on qualitative data generated through a series of one-to-one semi-structured interviews with different representatives of various stakeholders.
Finding: This research concluded that the cloud computing is arguably the most innovative breakthrough the IT industry has witnessed since the move from mainframes to personal computers. Entrepreneurs are increasingly looking at cloud solutions for regular analysis of data that can help grow their businesses.
However, alongside the opportunities mentioned above, such as organizational cost savings and the flexibility to scale the IT infrastructure up or down, there are still a variety of impediments. In the context of SMEs in emerging economies, there is great interest in cloud computing given the lower complexity required and the opportunities created.
Based on this study, and confirming previous studies, with greater use and diffusion of ICT among SMEs and the rapid penetration of cloud computing among SMEs, the potential to boost productivity and create job opportunities could be magnified. In other words, the concrete impact could be both economic and societal. In general, the adoption of cloud computing offers smart, quick and efficient services that can help achieve local and global competitiveness; the critical success factor remains the availability of the required human skills and capacities.
Arguably, with the proper deployment of emerging technologies and new business practices, SMEs can grow by about 20% per year as indicated by many of the entrepreneurs and experts interviewed for this study. However, effective investment in human capital is a priority. They are the differentiating factor and they need to be aware and knowledgeable of what technology can offer. The promising future of Egypt as is the case of many emerging economies will depend less on a few large leading projects in traditional industries and businesses and more on the widespread of unconventional innovative and entrepreneurial ideas and projects that would engage the technology youth community and that can help create a platform for job creation and employment. Startups and SMEs are agents of change and vehicles for economic development and new industries, new breakthroughs and new ventures were always created by new and growing companies.
To sum it up, Egypt needs to establish an ICT-driven ecosystem capitalizing on a creative and talented youth opportunity that can become the base for an entrepreneurial culture and a startup nation.
8) Koparkar, P., & MacKrell, D. (2016). How Fluffy is the Cloud?: Cloud Intelligence for a Not-For-Profit:
Objectives: Business Intelligence (BI) is becoming more accessible and less expensive with fewer risks through various deployment options available in the Cloud. Cloud computing facilitates the acquisition of custom solutions for not-for-profit (NFP) organizations at affordable and scalable costs on a flexible pay-as-you-go basis. In this paper, they explored the key technical and organizational aspects of BI in the Cloud (Cloud Intelligence) deployment in an Australian NFP whose BI maturity is rising although still low. This organization aspires to Cloud Intelligence for improved managerial decision making yet the issues surrounding the adoption of Cloud Intelligence are complex, especially where corporate and Cloud governance is concerned. From the findings of the case study, a conceptual framework has been developed and presented which offers a view of how governance could be deployed so that NFPs gain maximum leverage through their adoption of the Cloud.
Finding: In this paper, the authors argued that cloud governance is essential in this process to align organizational goals with the benefits that can be gained from cloud deployment. They presented a conceptual framework which suggests that responsibility for governance should remain within the organization, although the responsibility for managing other IT functions may usefully be handed over to the cloud provider. Cloud governance facilitates a better fit of cloud computing services into the existing processes of organizations to achieve business and financial objectives. Cloud governance helps to maintain a centralized decision-making process which is in line with the overall strategy of the organization. Governance is not something that can be considered as ‘nice-to-have’; it is something that every organization ‘needs-to-have’. There are undoubtedly a number of risks and uncertainties in transitioning to the cloud, so strong governance and control are an essential part of any decision to move to the Cloud.
This paper brought together in one document some of the governance, security, and risk management issues associated with cloud computing that should be considered before making any decision about implementing cloud intelligence. A major contribution of this study would be towards the practical aspects of understanding the technological needs of an NFP organization and tackling accordingly the security concerns and threats that arise from using the cloud. As more and more data moves from on-premises to the cloud, it will become more feasible for NFPs and SMEs to deploy BI in the cloud.
Comments: One of the limitations of this paper was that the frameworks have not been validated against supporting data at an operational level. Further research would be required to provide evidence of the effectiveness and feasibility of having in-house cloud governance by SMEs and small NFPs.
Nevertheless, the views presented in this paper about the responsibilities of governance have the potential to stimulate debate.
9) Gholami, A. (2016). Security and privacy of sensitive data in cloud computing: a survey of recent developments. PhD thesis, Stockholm, Sweden, 2016
Objectives: Cloud computing is revolutionizing many ecosystems by providing organizations with computing resources featuring easy deployment, connectivity, configuration, automation, and scalability. This paradigm shift raised a broad range of security and privacy issues that must be taken into consideration. Multi-tenancy, loss of control, and trust are key challenges in cloud computing environments. This paper reviewed the existing technologies and a wide array of both earlier and state-of-the-art projects on cloud security and privacy. They categorized the existing research according to the cloud reference architecture orchestration, resource control, physical resource, and cloud service management layers, in addition to reviewing the existing developments in privacy-preserving sensitive data approaches in cloud computing such as privacy threat modeling and privacy enhancing protocols and solutions. The work can also be summarized in three main questions, as follows:
Q1: Can they develop a methodology to formulate privacy requirements and threats to facilitate compliance with data
Q2: How do the authors build privacy-preserving cloud-based systems from existing approaches in security and privacy?
Q3: How do the authors increase the safety of an Operating System (OS) by reducing the risk of kernel exploits?
Finding: This paper surveyed recent advances in cloud computing security and privacy research. It described several key cloud computing concepts and technologies, such as virtualization and containers. They also discussed several security challenges that are raised by existing or forthcoming privacy legislation, such as the European Union (EU) Data Protection Directive (DPD) and the US Health Insurance Portability and Accountability Act (HIPAA).
The results that were presented in the area of cloud security and privacy are based on cloud provider activities, such as providing orchestration, resource abstraction, physical resource and cloud service management layers. Security and privacy factors that affect the activities of cloud providers in relation to the legal processing of consumer data were identified and a review of existing research was conducted to summarize the state-of-the-art in the field.
Problems solved by cloud accounting
The role of ledgers
The cloud accounting general ledger project
Problems with current business ledger
How transactions are recorded on cloud computing
List of companies in Egypt using cloud computing
Tax, tax accounting and value added tax (VAT)
Qualifications of external auditors in Egypt
2.Chapter two: Cloud Accounting Background
Contemporary organizations are the target of a continuous ‘data bombardment’, and therefore quickly come to need an efficient way to convert the received data into correctly structured information, able to provide decision support or competitive advantages. Any decision taken at the organizational level, be it the construction of a new building or the migration of a business service towards the cloud, requires pertinent and usable information. The accounting professionals working in IT organizations, or in any kind of organization which considers adopting cloud-based services, have often considered that the final decision for or against the adoption of such services exceeds their competence, being the exclusive prerogative of the IT department (Tarmidi, M. et al., 2014). The current paper is an attempt to demonstrate the way an accounting or audit professional may be involved in the final decision regarding a migration towards the cloud, and also the way such a professional may use her own knowledge and experience in order to positively influence the final decision, by providing solid points and properly performed efficiency calculations.
As the cloud-based technologies gain more customers each day, the need for understanding the ‘economics of cloud’ arises, together with the need for strategic measurement of different cloud or non-cloud-based infrastructure options. In such context, the option for the cloud technologies cannot be the duty of the IT department only, as the economic drivers are at least as important as the technological ones. Economic measurement of the future cloud computing implementations is required for at least two reasons. First, all types of implementations are investment projects and, by consequence, need to be fully justified before being chosen or rejected. Second, once a cloud strategy is adopted and an infrastructure is implemented, the implementation must be continually monitored, so the organization can be sure that it continues to deliver an optimal return on investment. Gaining maximal return on the implementation of a cloud computing strategy is predicated on the ability to understand the economic metrics. Therefore, the accounting professional can no longer be a simple observer in the process of cloud migration and cloud adoption, but a central piece and a ‘voice of reason’ standing between the typical enthusiasm of the IT department and the typical skepticism of the management
(Mangiuc, D., 2017).
2.2 What Is Accounting?
Accounting can be defined as follows: the systematic recording, reporting, and analysis of financial transactions of a business. Accounting provides financial information to stakeholders. Stakeholders include banks, suppliers, investors, government agencies, and people engaged with an organization, such as its owners and employees. Banks need financial information to assess the condition of a firm before lending money. A profitable organization with positive cash flows can easily acquire loans as compared to one suffering heavy losses and little money. Suppliers need financial information to consider trade credit. Investors will invest their money only in profitable organizations. They determine the profitability of an organization by reading its financial statements. Every business concern is bound by law to report on its revenue and expenses to local government agencies for income tax purposes. In a nutshell, accounting performs the following tasks:
Evaluates profit or loss of a business concern
Provides detailed information about a firm’s net worth
Reports on assets, liabilities, owner’s equity, and profitability (Ahmed, R.,2016).
2.3 The Accounting System
Organizations use accounting systems (either manual or computerized) to store, manage, and provide their financial information to their stakeholders. These systems are implemented to produce financial statements, including income statement, balance sheet, and other accounting reports. They store detailed records of accounts, such as cash, accounts receivable (due from customers), accounts payable (due to suppliers/banks), fixed assets, stocks, and so on (Ahmed, R.,2016).
2.4 Common Problems solved by cloud accounting
The value of cloud-based software is becoming increasingly apparent in accountancy. A number of everyday problems can be resolved through the use of cloud accounting, freeing you up to work smarter and faster while simultaneously increasing your overall productivity.
Here are just some of the common accounting problems that can be overcome with cloud-based software:
Problem(1): Out-of-date records
Solution: Real-time updates
Cloud-based software allows you and your clients to access data anytime, anywhere and on any device. This makes it possible to keep on top of your business or your client’s accounts and make decisions based on real-time information. As it is accessible by multiple users, communication and collaboration with clients are made much easier too.
Problem(2): Loss of data following physical computer damage
Solution: Data stored remotely, not on an individual system
The cloud is one of the most secure ways you can store data. If your laptop is stolen, you don’t need to worry about someone gaining access to your client’s spreadsheets as they won’t be stored on the hard drive but rather on a remote server hosted on the Internet. The same applies if your computer is damaged or files are accidentally wiped clean.
Problem(3): Data can only be accessed from your office
Solution: Remote access allows flexible working
When information is stored offsite, you have the flexibility to work remotely. Not having to take a round trip back to the office if you’ve been visiting a client saves you time and helps you meet your deadlines whilst working in a way that suits you.
Problem(4): Accounting systems are expensive
Solution: Cloud-based software is affordable and scalable
It can be very expensive to keep up-to-date when using traditional software. It can also be complicated and time-consuming when systems fail; not to mention difficult to guarantee security and keep secure back-ups of data.
Cloud-based software is much simpler to maintain and eliminates the need for an IT specialist, saving money that can be better spent elsewhere. Cloud accounting systems are also flexible and can grow as a business grows, so that you’re always offered a bespoke option that matches the demands of your businesses or clients rather than paying for a service which is either too big or too small for the current size of your operations (www.liquidaccounts.com).
2.5 Why should companies use cloud accounting?
If you are like most startup business owners, you are passionate about the work you do. You know that to grow, you will need to dedicate time and money to your company. Your peers and mentors have been suggesting accounting software. Why use accounting software? More than likely, you don’t want to pour resources into your accounting program, but there are ways that cloud accounting software can help you avoid wasting bankroll.
Have you been up against any of the startup problems below? Here are seven ways that online accounting software can help solve them (Cameron, A., 2016):
Problem 1: Your financial records are disorganized
How many times have you dug through financial records to find one document? And, we all know the frustration of staring at a computer screen, trying to remember the name of a spreadsheet buried on our hard drive.
Solution: Cloud accounting software streamlines your books.
With online accounting software, you can organize your records in one place. You store your information in the cloud. You can access your accounting from anywhere with an Internet connection.
Problem 2: You are on a tight budget
If you are like most startups, you operate on a tight budget. You want to spend money on growing your business, not overhead costs like an accounting program.
Solution: Cloud accounting software is a low-cost accounting fix.
Online accounting software might be a good fit for new business owners that want to be responsible for tracking their finances without paying high prices.
You can find basic accounting software programs offered for low monthly subscriptions. Some packages include a free trial and no long-term contracts.
Doing your own accounting eliminates the need to hire an in-house bookkeeper and reduces the use of an outside accountant.
Problem 3: You are not good with numbers
How good are you with numbers? Handling your company’s finances with a calculator is not an ideal situation. People make mistakes, and mistakes in your accounting books can be costly.
Solution: Online accounting software computes figures.
Your chances of computing inaccurate figures are far less when you use accounting software. You simply enter your transaction information and the software program calculates figures for you.
Instead of spending hours calculating and checking your numbers, you can let accounting software take care of all the equations for you.
Problem 4: Cash flow keeps you up at night
The best way to project cash flow is to examine detailed, accurate records of your transactions. When your financial statements are mixed in with receipts, quotes, and your child’s school supplies list, you could spend a lot of extra time projecting cash flow.
Solution: Cloud accounting software tracks up-to-date information.
Cash flow helps you understand your income and expenses. Knowing all the moving parts of your accounting gives you a clear picture of your business’s finances.
Cloud accounting software lets you see the location of every penny your company has as each one comes and goes. Cloud accounting software can track unpaid invoices, 1099 payments, and bank transactions. All this information gives you the tools to project cash flow.
Problem 5: You are not an accounting expert
When you start a business, all the tasks of running a company fall on your shoulders. But, hiring extra help is not financially ideal to lighten the workload.
Solution: Get help from experts with cloud accounting software.
Many accounting software companies offer free customer service and support. Customer service representatives answer your questions about the software. You can contact customer service representatives through phone, email, or online chat.
Online software also makes it easier to share information with a financial professional. Accountants help you through difficult accounting practices, like filing taxes. Using cloud accounting software gives your accountant the flexibility to view your records and advise you from anywhere.
Problem 6: You don’t have time for accounting
Filling out paperwork and formatting business documents doesn’t make you money. These tasks can also be very time-consuming.
Solution: Cloud accounting software saves you time.
You can generate pre-set forms with accounting software. You just fill in the blanks. Some cloud accounting software allows you to create and print invoices and 1099s. Cloud accounting software helps you quickly create forms and get back to running your business.
Problem 7: Your records are not protected
Your financial records are too important to risk them being destroyed, lost, or stolen. Even with insurance, you might not be able to recover information from paper documents if something happens. If you store records on your hard drive and your computer gets damaged, your records are gone.
Solution: Cloud accounting software is safe and secure.
Online accounting software stores your information in the cloud. This means that no matter what happens to your computer, your financial information is safe. Software companies protect your accounting records with secure servers, passwords, and encrypted data (Cameron, A., 2016).
2.6 The role of ledgers
In today’s connected and integrated world, economic activity takes place in business networks that span national, geographic, and jurisdictional boundaries. Business networks typically come together at marketplaces where producers, consumers, suppliers, partners, market makers/enablers, and other stakeholders own, control, and exercise their rights, privileges, and entitlements on objects of value known as assets. Assets can be tangible and physical, such as cars and homes, or intangible and virtual, such as stock certificates and patents. Asset ownership and transfer create value in a business network and are known as transactions. Transactions typically involve various participants like buyers, sellers, and intermediaries (such as banks, auditors, or notaries) whose business agreements and contracts are recorded in ledgers. A business typically uses multiple ledgers to keep track of asset ownership and asset transfers between participants in its various lines of businesses. Ledgers are the systems of record (SORs) for a business’s economic activities and interests (Brakeville S., Perepa B.,2016).
2.7 The Cloud Accountant General Ledger Project
Running your business gets a whole lot easier when you can access your books anywhere and anytime. The Cloud Accountant being developed is a complete double entry cloud accounting application that lets you keep in touch with your business all the time. The intensely competitive market in today’s economy requires that managers continuously improve the way they work and make decisions. Today’s successful managers demand instantaneous information that is both accurate and useful. A traditional desktop accounting system simply cannot cope with these high demands. Only by taking advantage of the power of the latest technology can these demands be met. The goal of the Cloud Accountant is to remove most of the boring bookkeeping work from the business. The application will take over all the simple and monotonous tasks that can eat up precious time. For instance, it will automate all period-end tasks such as closing the books, transferring the closing balances forward, and so on, with just a few clicks. It also facilitates the recording of all purchase and sales transactions, bill payments, and so on. Since the application can process and retrieve business transactions instantly, there will be a quicker response time to customers, suppliers, and creditors, which will ensure better business relations. In addition, it will produce professional-looking financial reports and accounting records quickly and easily. The Cloud Accountant will free up more time, which can be used to work on improving other areas of the business. A paperless environment means less work and less confusion since all information is stored electronically and can be accessed instantaneously. A computerized system will also produce more accurate records. The logic created in this application ensures that all entries are posted properly and that the calculations of key financial data are done correctly. This greatly reduces the potential for human error that is prevalent in manual accounting systems. 
Because of the inherent structure within the Cloud Accountant, the accounting system around the computer will be simplified and more organized. As a result, the flow of information in all stages of the business cycle will be more logical and efficient. Of great importance are the security features built into the application, which ensure that only authorized people have access to the company’s sensitive financial information. In this application, you will define your own security levels that will allow users to access only what you want them to access. This ensures that data will remain safe, can be easily maintained, and is neat and organized (Ahmed, R., 2016).
2.8 Problems with current business ledgers
Current business ledgers in use today are deficient in many ways. They are inefficient, costly, nontransparent, and subject to fraud and misuse. These problems stem from reliance on centralized, trust-based, third-party systems, such as financial institutions, clearinghouses, and other mediators of existing institutional arrangements. These centralized, trust-based ledger systems lead to bottlenecks and slowdowns of transaction settlements. Lack of transparency, as well as susceptibility to corruption and fraud, lead to disputes. Having to resolve disputes and possibly reverse transactions or provide insurance for transactions is costly. These risks and uncertainties contribute to missed business opportunities. Furthermore, out-of-sync copies of business ledgers on each network participant’s own systems lead to faulty business decisions made on temporary, incorrect data. At best, the ability to make a fully informed decision is delayed while differing copies of the ledgers are resolved (Brakeville S., Perepa B.,2016).
2.9 How transactions are recorded on cloud computing
Many software packages and applications are used to record data in cloud computing, such as blockchain technology and Oracle applications.
What is blockchain, exactly?
A blockchain is a tamper-proof, shared digital ledger that records transactions in a public or private peer-to-peer network. Distributed to all member nodes in the network, the ledger permanently records, in blocks, the history of asset exchanges that take place between the peers in the network. All the confirmed and validated transaction blocks are linked and chained from the beginning of the chain to the most current block, hence the name blockchain. The blockchain thus acts as a single source of truth, and members in a blockchain network can view only those transactions that are relevant to them (Brakeville S., Perepa B.,2016).
What are the business benefits of blockchain?
In legacy business networks, all participants maintain their own ledgers with duplication and discrepancies that result in disputes, increased settlement times, and the need for intermediaries with their associated overhead costs. However, by using blockchain-based shared ledgers, where transactions cannot be altered once validated by consensus and written to the ledger, businesses can save time and costs while reducing risks. Blockchain technologies promise improved transparency among willing participants, automation, ledger customization, and improved trust in record keeping. Blockchain consensus mechanisms provide the benefits of a consolidated, consistent dataset with reduced errors, near-real-time reference data, and the flexibility for participants to change the descriptions of the assets they own. Because no one participating member owns the source of origin for information contained in the shared ledger, blockchain technologies lead to increased trust and integrity in the flow of transaction information among the participating members. Immutability mechanisms of blockchain technologies lead to the lowered cost of the audit and regulatory compliance with improved transparency. And because contracts being executed on business networks using blockchain technologies are smart, automated, and final, businesses benefit from increased speed of execution, reduced costs, and less risk with timely settlements of contracts (Brakeville S., Perepa B.,2016).
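The chaining and immutability described in the two subsections above can be checked mechanically by an auditor. The following Python code is an added example, not code from the cited sources: the block layout, the account names and amounts, and the function names are constructed assumptions, and it goes slightly beyond the text by also comparing the newest block's hash with a copy held by another participant.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed marker for "no previous block"


def block_hash(index, prev_hash, entries):
    """SHA-256 over a canonical JSON encoding of one block's contents."""
    body = json.dumps({"index": index, "prev_hash": prev_hash, "entries": entries},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def is_balanced(entries):
    """Double-entry rule: total debits equal total credits (integer cents)."""
    return sum(e["debit"] for e in entries) == sum(e["credit"] for e in entries)


def append_block(chain, entries):
    """Validate a journal entry and chain it to the current head of the ledger."""
    if not is_balanced(entries):
        raise ValueError("unbalanced journal entry rejected")
    index = len(chain)
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    chain.append({"index": index, "prev_hash": prev_hash, "entries": entries,
                  "hash": block_hash(index, prev_hash, entries)})


def audit_chain(chain):
    """Walk the ledger from the first block and return (block index, finding) pairs."""
    findings, expected_prev = [], GENESIS
    for pos, block in enumerate(chain):
        if block["index"] != pos:
            findings.append((pos, "index out of sequence"))
        if block["prev_hash"] != expected_prev:
            findings.append((pos, "broken link to previous block"))
        if block_hash(block["index"], block["prev_hash"], block["entries"]) != block["hash"]:
            findings.append((pos, "contents do not match stored hash"))
        if not is_balanced(block["entries"]):
            findings.append((pos, "debits and credits do not balance"))
        expected_prev = block["hash"]
    return findings


def head_hash(chain):
    """Hash of the newest block; peers compare this value to agree on one history."""
    return chain[-1]["hash"] if chain else GENESIS


def build_sample_ledger():
    """Constructed sample data: three balanced journal entries, one per block."""
    chain = []
    append_block(chain, [{"account": "Cash", "debit": 500000, "credit": 0},
                         {"account": "Owner equity", "debit": 0, "credit": 500000}])
    append_block(chain, [{"account": "Inventory", "debit": 120000, "credit": 0},
                         {"account": "Accounts payable", "debit": 0, "credit": 120000}])
    append_block(chain, [{"account": "Accounts payable", "debit": 120000, "credit": 0},
                         {"account": "Cash", "debit": 0, "credit": 120000}])
    return chain


def altered_copy(chain, index, amount, rehash="none"):
    """Audit test case: copy the ledger and restate one block's amounts.

    rehash="none" leaves stored hashes alone, "block" recomputes only the edited
    block's hash, and "tail" recomputes the edited block and every later block.
    """
    forged = copy.deepcopy(chain)
    for entry in forged[index]["entries"]:
        side = "debit" if entry["debit"] else "credit"
        entry[side] = amount
    if rehash == "none":
        return forged
    last = index if rehash == "block" else len(forged) - 1
    for i in range(index, last + 1):
        block = forged[i]
        if i > index:
            block["prev_hash"] = forged[i - 1]["hash"]
        block["hash"] = block_hash(block["index"], block["prev_hash"], block["entries"])
    return forged


if __name__ == "__main__":
    ledger = build_sample_ledger()
    trusted_head = head_hash(ledger)  # value held independently by another peer
    for mode in ("none", "block", "tail"):
        copy_under_audit = altered_copy(ledger, 1, 90000, rehash=mode)
        print(mode, audit_chain(copy_under_audit),
              "head matches peer:", head_hash(copy_under_audit) == trusted_head)
```

A ledger whose whole tail has been recomputed passes the internal walk, so the comparison against a head hash held by another member is what gives the shared ledger its audit value.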
2.9.2 Oracle Application Express ( APEX)
Oracle APEX applications are built on technology that resides within an Oracle Database, so all your applications can be easily run on any Oracle platform, from the Oracle Database Cloud Service to your in-house data center to Oracle Database XE on your laptop. Once you have developed an application either on your PC or in the cloud, simply export the application and then import it into any other Oracle Database where you have a compatible version of APEX installed. Naturally, you may also deploy your application on the Oracle Database Cloud Service and then allow access to it from anywhere in the world (Ahmed, R., 2016).
Digital evidence is information stored or transmitted in a binary form that may be relied on in court. It can be found on a computer hard drive, a mobile phone, a personal digital assistant (PDA), or a CD. Digital evidence is commonly associated with electronic crime, or e-crime, such as credit card fraud.
2.10.1 The definition of a forensic accountant
Multiple terms can be used to describe the individual performing an investigation of a financial nature, and may include fraud examiner, fraud auditor, forensic auditor, fraud investigator and financial crime investigator.
According to the Canadian Institute of Chartered Investigators (2013), investigative and forensic accounting engagements ‘require the application of professional accounting skills, investigative skills, and an investigative mindset, and involve disputes or anticipated disputes, or engagements where there are risks, concerns of allegations of fraud or other illegal or unethical conduct’.
According to the Association of Certified Fraud Examiners (ACFE), a forensic accountant plays an important role in the investigation of crimes, such as fraud and corruption and consequently in civil and criminal proceedings. The forensic accountant will use accounting and investigative knowledge to assist in investigations and during litigation (ACFE, 2013).
According to KPMG (2013), a forensic investigation occurs ‘when suspicions of fraud, or bribery and corruption, or financial misconduct and mismanagement surface, specialist independent investigation, support, and advice are required to quickly and effectively deal with these issues’.
2.10.2 Electronic evidence
Evidence that allows assurance of accountability services, verification of compliance with the principles of accountability by service providers and attribution of responsibility for breaches within the chain of accountability is essential.
Traditional forms of evidence are:
Real evidence; and
Viva voce evidence.
Electronic evidence can further be divided into three categories:
Documents or files whose content has been written or created by one or more people;
Records that have been generated by a computer and where there is no human interference or input; and
Records that consist of both inputs generated by a computer and human inputs (Mason, S., and Seng, D., 2017).
2.10.3 Audit and evidence-gathering
IaaS offerings support on-demand cloning of virtual machines. In the event of a suspected security breach, the customer can take an image of a live virtual machine (or virtual components thereof) for offline forensic analysis, leading to less downtime for analysis. With storage on tap, multiple clones can be created and analysis activities parallelized to reduce investigation time. This improves the ex post analysis of security incidents and increases the probability of tracking attackers and patching weaknesses. However, it does presume the customer has access to trained forensic experts (which is not a standard cloud service as of writing).
The cloud can also provide more cost-effective storage for logs, thus allowing more comprehensive logging without compromising performance. Pay-as-you-go cloud storage brings transparency to your audit storage costs and makes adjusting to meet future audit log requirements easier. This makes the process of identifying security incidents as they happen more efficient (Rev.B, 2012).
2.10.4 Electronic document as accounting evidence
To obtain specifications that appropriately present the data recorded in the books, it is necessary to ensure:
Completeness of information representing single accounting entry,
Creation of accounting specifications exclusively on the basis of verified and recorded accounting documents,
An effective way of linking accounting entries with an underlying source of documents.
The term “electronic document” refers to the form of a document, such as electronic invoice, print from the online banking system, electronic storage document, electronic ticket data from billing systems, etc.
When books are kept using a computer, accounting records made automatically through communication devices or computer storage media, or generated by an algorithm (program) on the basis of information already in the books, are considered equivalent to source evidence.
Such entries may also arise when electronic documents constituting accounting evidence are introduced into the books. Entries entered automatically into the books of accounts (accounting system) shall be considered equivalent to entries made on the basis of source evidence if they meet at least the following conditions:
When registered, they become permanently readable and consistent with the contents of the relevant accounting documents.
It is possible to determine the source of the records and the person responsible for their introduction into the books of accounts and for any further modification.
The applied procedure validates the processing of the relevant data and the completeness and identity of the records.
Source data are properly protected at their place of creation in a way that ensures their persistence for the period required to store a given type of accounting document.
Accounting entries are made by the computer system in a durable manner that leaves no room for later insertions or changes. The system protects records against destruction, modification or concealment of an entry. In addition, the records in the log and the ledger accounts are linked in a way that allows their consistency to be checked. The information system stores the records in the accounts for a period not shorter than that required by the Accounting Act.
Each accounting document is defined in the computer system by the type of evidence, identification number, the parties engaged in the business transaction, a description of the operation, the date of the operation and the date of preparation of the evidence. These attributes identify the accounting evidence and comply with the requirements of the Accounting Act. Accounting documents generated by the online system meet the conditions under the Accounting Act and the VAT Act for documenting events subject to VAT.
The collected documents, regardless of their place of origin, may be transferred, edited and accepted along the defined paths of the electronic circuit. Existing rules for the “migration” of paper information may be replaced by their electronic version, assuming compliance with the original. This accelerates the company’s operations and improves the efficiency of its activities. As a result of the transition to electronic workflow, employees perform tasks in a shorter period of time, the team makes effective use of jointly gathered information and documents, and the company reduces the costs of normal transmission and archiving of documents. Programs that read paper invoices, analyze the scanned documents and automatically add the information on the invoice are more and more commonly used. This allows the invoices to be exported to a file, imported and properly entered in the accounting program used by the company. An archive is created automatically, which makes it possible to give up bulky paper files, search for documents with a search tool and browse them directly in the accounting program. These applications are usually available online, so they do not require any additional installation, investment in hardware or expensive servers. The conditions for using them are Internet access and a web browser (Wyslocka, E., Jelonek, D., 2014).
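The conditions listed in this section (complete identification of each entry, a known responsible person, no later insertions or changes, and journal and ledger records linked so that their agreement can be checked) can be tested by an auditor with a hash-chained journal. The following Python example is added here for illustration and is not taken from the cited study or from any accounting product; the field names, the sample postings and the practice of keeping the chain head outside the audited system are assumptions.

```python
import hashlib
import json
from collections import defaultdict

GENESIS = "0" * 64
# Identification fields the text requires for every accounting document, plus
# the responsible person and the posting itself (field names are assumptions).
REQUIRED = ("doc_type", "doc_id", "parties", "description",
            "op_date", "entered_by", "account", "amount_cents")


def digest(body):
    """SHA-256 over a canonical JSON form of an entry (without its own hash)."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append_entry(journal, **fields):
    """Append one entry; reject it if an identification field is missing."""
    missing = [k for k in REQUIRED if fields.get(k) in (None, "")]
    if missing:
        raise ValueError("incomplete entry, missing: " + ", ".join(missing))
    body = {k: fields[k] for k in REQUIRED}
    body["seq"] = len(journal) + 1
    body["prev_hash"] = journal[-1]["entry_hash"] if journal else GENESIS
    journal.append({**body, "entry_hash": digest(body)})
    return journal[-1]["entry_hash"]  # new head, to be held outside the system


def verify_journal(journal, expected_head=None):
    """Return a list of (position, problem); an empty list means intact."""
    findings = []
    prev = GENESIS
    for position, entry in enumerate(journal, start=1):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry.get("seq") != position:
            findings.append((position, "sequence gap or inserted entry"))
        if entry.get("prev_hash") != prev:
            findings.append((position, "broken link to previous entry"))
        if entry.get("entry_hash") != digest(body):
            findings.append((position, "content changed after registration"))
        prev = entry.get("entry_hash")
    # A fully rewritten chain is internally consistent, so the last hash must
    # also match a copy kept by someone other than the system operator.
    if expected_head is not None and prev != expected_head:
        findings.append((len(journal), "head differs from externally held value"))
    return findings


def reconcile(journal, ledger_balances):
    """Return {account: (journal_total, ledger_balance)} where they disagree."""
    totals = defaultdict(int)
    for entry in journal:
        totals[entry["account"]] += entry["amount_cents"]
    accounts = sorted(set(totals) | set(ledger_balances))
    return {a: (totals.get(a, 0), ledger_balances.get(a, 0))
            for a in accounts
            if totals.get(a, 0) != ledger_balances.get(a, 0)}


def build_sample():
    """Constructed sample data: one invoice and its payment (double entry)."""
    parties = "Buyer Ltd / Seller Ltd"
    rows = [
        ("invoice", "INV-0001", parties, "consulting fee",
         "2017-01-10", "clerk01", "receivables", 120000),
        ("invoice", "INV-0001", parties, "consulting fee",
         "2017-01-10", "clerk01", "revenue", -120000),
        ("bank_statement", "BS-0007", parties, "payment received",
         "2017-01-25", "clerk02", "receivables", -120000),
        ("bank_statement", "BS-0007", parties, "payment received",
         "2017-01-25", "clerk02", "bank", 120000),
    ]
    journal, head = [], None
    for row in rows:
        head = append_entry(journal, **dict(zip(REQUIRED, row)))
    return journal, head


if __name__ == "__main__":
    journal, head = build_sample()
    ledger = {"receivables": 0, "revenue": -120000, "bank": 120000}
    print("intact:", verify_journal(journal, head), reconcile(journal, ledger))
    journal[1]["amount_cents"] = -100000  # simulated later change to an entry
    print("after change:", verify_journal(journal, head), reconcile(journal, ledger))
```

The chain alone only shows internal consistency; it is the externally held head value that lets the auditor detect a journal that was truncated or rebuilt from scratch.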
2.11 Egyptian companies (CIT database)
There are 6 main companies that provide cloud computing services in Egypt:
Also, there are around 28 companies that apply cloud computing in Egypt, such as:
The Chamber of Information Technology and Telecommunication (CIT) held an extensive meeting for member companies to announce the launch of its new initiative, titled The Road to The Cloud, on 29/1/2017. CIT aims to train 60 specialized companies to transfer their software to cloud computing, to maximize the utilization of new technology breakthroughs and applications, and to keep abreast of global technological transformation, as part of its strategy to develop member tools and transfer all their latest and innovative technologies, and to achieve growth rates commensurate with their objectives while recognizing the new variables in the industry for external expansion and competition (http://ik.ahram.org.eg/News/22606.aspx).
2.12 The tax treatment for cloud computing
2.12.1 Characterizing Cloud Computing Transactions
Characterizing a cloud computing transaction is central to its treatment for sales and use tax purposes. Not only will this often determine whether the transaction is taxable at all, because the state generally may not tax the sale or use of services or intangibles, but even if the service or the intangible is taxable, the characterization of the transaction may have implications for where the transaction is taxable. In their approach to the characterization question, states understandably have often looked to general principles that they have employed in other contexts for characterizing transactions as well as to the particular rules that they have developed for characterizing transactions involving computer software (Thomson R.,2013).
2.12.2 Value Added Tax (VAT)
As part of the consultation exercise, some organizations asked if there are VAT implications in moving to the cloud and a SaaS model. This can be a complex area, and organizations would need to take specialist advice from their own tax advisors if they have any concerns or particular issues. VAT is unlikely to be a significant issue for local authorities, as they can recover both the VAT payable on cloud services and the VAT payable on software and equipment purchases and on operating a data center. The implications of a move from traditional IT, or from capital to revenue expenditure, are therefore more likely to impact cash flow than budgets and overall costs.
2.12.3 Corporation tax
Corporation tax is only likely to become an issue if special purpose vehicles are used to supply services, for example using a limited company to provide shared services to several organizations. In such cases, you would expect to take specialist tax advice at the early stages of considering these types of corporate structures ( Thornton J.,2017).
2.12.4 Impacts on profit margins and pricing strategies
‘Some American companies have been very surprised by European VAT,’ says Anne Freden, Ernst & Young LLP Tax Partner. With their main offices, servers and content creation all in Silicon Valley, and with customers in Europe who simply log on and access their offerings, these enterprises have found that upward of 20% of what they were posting as revenue was actually owed as a tax. ‘For companies that have grown rapidly, what starts as a small exposure can get very large, very quickly,’ she says. Adds Bollard: ‘Especially if you’re in the business-to-consumer space, it is critical that you correctly factor the impact of VAT into both price points in the market and underlying margin expectations.’ (Flynn C., 2015).
With cloud computing as a catalyst for the overhaul of companies’ global cost structures and profit centers, and with steadily increasing volumes of revenue moving through the cloud, governments have focused increasing attention on taxing cloud business.
This is primarily driven by one of two motivations:
While some governments focus longer term on building local digital economies, even offering CSPs tax incentives to locate in their jurisdictions, others are under severe pressure to raise public revenue after years of economic downturn. In addition, some governments seek to protect their local markets, others to preserve local cultural norms or censor unwanted content. Governments’ ability to keep up with the technology varies as well, often lagging behind the development of new business models. ‘Now, in the cloud, companies are doing things even more quickly, much more virtually. And that’s just going to increase,’ says Flynn. ‘Governments have to become more technologically sophisticated to understand this.’ (Flynn C., 2015).
2.13 Cloud computing challenges
While the use of cloud computing continues to grow, the solutions being adopted are primarily public clouds, which remain a minority of the overall enterprise IT estate. As such, there appears to be a greater recognition amongst organizations that the risks relating to the cloud are not significantly different from those of operating other outsourced relationships or managed services solutions.
Control over cloud computing is vitally important, and many IA functions deploy specialist skills as necessary, including control risk, third-party management, information security and business continuity to assess all aspects and risks around cloud solutions effectively. The majority of organizations, however, are not increasing IA resource devoted to IT risks significantly over IT risk.
2.13.1 Examples of audit reviews could be:
Cloud services implementation: Evaluate the processes by technology to identify and monitor all sanctioned and non-sanctioned cloud service deployments across the organization. Ensure that the standard governance processes around selection, deployment, and security of cloud technologies throughout the business, including due diligence and on-boarding, were followed and that these are fit for purpose. For non-sanctioned or non-compliant cloud deployments, check that protocols exist to remediate.
Service organization controls reviews: A baseline level of assessment over cloud services, by scrutinizing the scope and coverage of service auditor reporting standards (where applicable) such as ISAE 3402 or SSAE 16 (in terms of the systems covered and the breadth of relevant control objectives and risks), or by leveraging such reports to gain assurance for internal audit purposes and evaluate the vendor control environment (including annual re-assessment/benchmarking).
Control risk and right to audit review: Review contractual documentation and negotiations with third-party cloud providers to assess against typical control risk and gain assurance over whether the key elements of the risk have been covered. Ensure ‘right to audit’ clauses are included in contractual negotiations with the cloud vendor so that internal audit has the right to access and directly review the cloud vendor’s internal controls. This could include evaluation of whether key relevant regulatory requirements have been considered and assessed as part of the SLAs agreed, so that cloud computing platforms will not invalidate or breach compliance requirements.
Vulnerability assessments: The ability to perform vulnerability testing against cloud services is recommended where possible, as the cloud is an extension of an organization’s enterprise. Cloud providers normally prevent customers from requesting this, though the larger the customer and contract, the more likely it is that requests could be met (Mcdonough D., 2015).
Computing applications can be outsourced to external service providers; there are always risks when relying on an external vendor in handling a company’s own critical applications, notwithstanding the high cost of such an endeavor. Important applications of a business, including database storage and processing of business events relating to a company’s basic revenue, expenditure, and production processes, should be protected by adequate controls and policies that govern data storage, dissemination, and processing. Because these policies and controls define a company’s internal control environment, which has an impact on the reliability of reporting in annual reports or other statements, audit standards require external financial statement auditors to perform a review and assessment of the controls that a company adopts. For these reasons, decisions that relate to the adoption and use of underlying technologies that dictate a company’s data storage, processing, and data sharing policies place significant constraints on the planning, execution, and skill set required to properly carry out an external financial statement audit or other types of special audit engagements. With modern technologies becoming more widespread but at the same time more complex, it is thus important for auditors to understand not only the nature and potential benefits of new technologies but also the risks they present and the impact they may have on the performance of the audit (Nicolaou, C. A., et al., 2012).
Following are the possible threats and challenges while choosing cloud computing as an option over traditional data center or server room based option.
Technical Issues: A serious malfunction or dysfunction could lead to denial of access to information and data in the cloud, at any time and from anywhere. The fact is that the technology is always prone to outages and other technical issues. Even cloud service providers (CSPs) run into trouble, in spite of maintaining high standards of maintenance. Besides this, the consumer needs a very good Internet connection (broadband link) to be logged onto the server at all times. A consumer will invariably be stuck in the case of network and connectivity problems (Kelkar S., 2015).
Hosting (location of data centers): Resellers and distributors often offer the best plans, and consumers buy them without thinking about the location of the backend cloud data center. In case of downtime, resellers and distributors do not give consumers the reason behind the downtime of the service. Often, information about the physical location of the data center is not passed on by CSPs to the next level, which leads to denial of service to the customer. Since the data lies on the CSP’s infrastructure, consumers get worried and do not get a clear idea of the uptime of the service. In such cases, SLAs would be useless. In some cases, parties presenting themselves as CSPs might have outsourced their data centers to some other party (Kelkar S., 2015).
Security in the Cloud: Because data and information are accessed over the internet, the major issue is security. Before adopting cloud technology, consumers should know that they might be surrendering all of the organization’s information to a third party, i.e. the cloud service provider (CSP), and this could be a great risk. Hence, a consumer of cloud services needs to make absolutely sure that it chooses the most reliable service provider, who will keep its information totally secure. A service level agreement (SLA) with a non-disclosure agreement (NDA) could be signed by both the CSP and the consumer organization. Data security can be achieved by implementing encryption techniques, SSL/TLS in data communication, data access lists, and web application security by firewall (Kelkar S., 2015).
Prone to Attack: Storing information in the cloud could make your organization vulnerable to external hack attacks and threats. Nothing on the Internet is completely secure, and hence there is always the possibility of theft of sensitive data (Kelkar S., 2015).
Prone to copy: There is a possibility that internal staff might copy data if an adequate security perimeter and audit mechanism are not installed at the CSP’s end (Kelkar S., 2015).
Security and Privacy: Cloud computing differs from the traditional computing model in that it uses virtual computing technology, where user data may be scattered across various virtual data centers rather than staying in the same physical location, sometimes even across national borders. In that case, data privacy protection faces the controversy of different legal systems. Attackers might get a chance to analyze a critical task based on the computing task submitted by the users (Arora P., Chaudhry R. W., Satinder E. P. A, 2012).
Reliability: Server farms in the cloud have the same problems as your own resident servers. Cloud server pools also experience downtimes and slowdowns; the difference is that users have a higher dependence on the cloud service provider (CSP) in the cloud computing model. CSPs’ service models differ considerably, so once you select a particular CSP you may be locked in, which brings a potential business security risk (Arora P., Chaudhry R. W., Satinder E. P. A, 2012).
Lack of Standards: Clouds have documented interfaces (APIs); however, no standards are associated with these APIs, and thus it is unlikely that most clouds will be interoperable. The Open Grid Forum is developing an Open Cloud Computing Interface to resolve this issue, and the Open Cloud Consortium (OCC) is working on cloud computing standards and practices. The findings of these groups will need to mature, but it is not known whether they will address the needs of the people deploying the services and the specific interfaces these services need. However, keeping up to date on the latest standards as they evolve will allow them to be leveraged, if applicable (Dialogic, 2010).
Continuously Evolving: User requirements change with business demand, as do the requirements for interfaces, networking, and storage. This means that a cloud has to evolve and cannot remain static (Kelkar S., 2015).
Compliance: Various countries have regulations on the storage and use of data in the cloud. Consumer organizations require reporting and audit trails, which cloud service providers (CSPs) must enable so that they can comply with these regulations. The data centers maintained by CSPs are also subject to compliance with these regulations (Kelkar S., 2015).
2.14 Auditors’ skills towards cloud computing problem
The human element is one of the most important elements that can be invested to achieve success in any project and in any institution and is very important in the cloud computing where he/she is a founding element, he/she is discovered, developed to achieve the objectives of cloud computing and is managed by.
Technical requirements: These are to provide a good education for external auditors through accredited courses for university students and employees of audit offices, so that they are ready to pursue and participate in the labor market and at the same time absorb the maximum of information, in addition to the provision of appropriate digital technology equipment, computers and systems, data preparation and e-mail services.
The President of Oracle announced the provision of programs to support entrepreneurs and small companies in the field of cloud computing. He said that the center, which specializes in the development of human resources, supports the provision of training and rehabilitation, pointing out that the local market is growing significantly in terms of the number of graduates annually in the fields of engineering, information technology and computers.
Oracle has more than 1,500 Middle East customers in cloud computing and has around 19 cloud computing centers around the world (http://www.alborsanews.com/ , 2017).
External IT Audit Experience: It is often difficult to find someone from an external audit firm who really understands the technology he or she is reviewing. These are generalities, and there are some extremely talented and technical auditors working at external audit firms. The key is to vet this out during the interview process (Davis C. et al., 2011).
Auditors’ background, Independence, Relationships and Threats
- Types of Audits
- Types of Auditors and their duties, functions and relationships
- Audit process
- Audit report
- Audit evidence and documentation
- Audit planning and assess audit risk
- Auditing cloud computing framework
- Legal concerns and regulatory compliance
- Determine whether appropriate governance processes are in place over the engagement of new cloud services by your company’s employees
- Review and evaluate your company’s processes for monitoring the quality of outsourcing operations
3. Chapter three: Auditors’ background, Independence, Relationships and Threats
The word ‘audit’ comes from the Latin word audire, meaning ‘to hear’. According to (Flint, D., 1988), an audit is a social phenomenon which serves no purpose or value except its practical usefulness, and its existence is wholly utilitarian. (Flint, D., 1988) further explains that the audit function has evolved in response to a perceived need of individuals or groups in society who seek information or reassurance about the conduct or performance of others in which they have an acknowledged and legitimate interest. (Flint, D., 1998) argues that audit exists because interested individuals or groups are unable, for one or more reasons, to obtain for themselves the information or reassurance they require. Hence, an audit function can be observed as a means of social control because it serves as a mechanism to monitor conduct and performance and to secure or enforce accountability. Mackenzie (as cited in Normanton, E. L., 1996), in the foreword to The Accountability and Audit of Governments, made the following remark: ‘Without the audit, no control; and if there is no control, where is the seat of power?’ All in all, an audit function plays a critical role in maintaining the welfare and stability of society.
The aim of an audit has always been a dynamic rather than a static one. (Brown, R., 1962) asserts that the objective and techniques of auditing have changed during the four hundred years of recognizable existence of auditing to suit the changing needs and expectations of society. It can be observed that the changes in the needs and expectations of society are highly influenced by factors contextual to the economic, political and sociological environment at a particular point in time. Therefore, a review of the historical development of auditing enables one to understand, analyze and interpret the evolution of auditing due to the change in the expectations of society.
To do an audit, there must be information in a verifiable form and some standards (criteria) by which the auditor can evaluate the information. Information can and does take many forms. Auditors routinely perform audits of quantifiable information, including companies’ financial statements and individuals’ income tax returns.
Auditors also audit more subjective information, such as the effectiveness of computer systems and the efficiency of manufacturing operations.
The criteria for evaluating information also vary depending on the information being audited. In the audit of historical financial statements by CPA firms, the criteria may be U.S. generally accepted accounting principles (GAAP) or International Financial Reporting Standards (IFRS).
For the audit of tax returns by the Internal Revenue Service (IRS), the criteria are found in the Internal Revenue Code. In an IRS audit of Boeing’s corporate tax return, the internal revenue agent uses the Internal Revenue Code as the criteria for correctness, rather than GAAP.
For more subjective information, it is more difficult to establish criteria. Typically, auditors and the entities being audited agree on the criteria well before the audit starts.
3.2 Types of Audits
CPAs perform three primary types of audits: operational audits, compliance audits, and audits of financial statements (Arens et al, 2012, P.12-13).
3.2.1 Operational Audit
An operational audit evaluates the efficiency and effectiveness of any part of an organization’s operating procedures and methods. At the completion of an operational audit, management normally expects recommendations for improving operations. In operational auditing, the reviews are not limited to accounting. They can include the evaluation of organizational structure, computer operations, production methods, marketing, and any other area in which the auditor is qualified (Arens et al, 2012).
3.2.2 Compliance Audits
A compliance audit is conducted to determine whether the auditee is following specific procedures, rules, or regulations set by some higher authority.
Results of compliance audits are typically reported to management rather than to outside users, because management is the primary group concerned with the extent of compliance with prescribed procedures and regulations. Therefore, a significant portion of work of this type is often done by auditors employed by the organizational units. When an organization such as the Internal Revenue Service (IRS) wants to determine whether individuals or organizations are complying with its requirements, the auditor is employed by the organization issuing the requirements (Arens et al, 2012).
3.2.3 Audits of Financial Statements
A financial statement audit is the examination of an entity’s financial statements and accompanying disclosures by an independent auditor. The result of this examination is a report by the auditor, attesting to the fairness of presentation of the financial statements and related disclosures. The auditor’s report must accompany the financial statements when they are issued to the intended recipients.
3.3 Types of Auditors and Their Duties, Functions, and Relationships
There are two types of audit functions that exist today. They have very important roles in assuring the validity and integrity of financial accounting and reporting systems. They are the internal and external audit functions.
3.3.1 The Internal Audit Function
The internal audit function is a control function within a company or organization. The primary purpose of the internal audit function is to assure that management-authorized controls are being applied effectively. The mission, character, and strength of an internal audit function vary widely with the style of top executives and the traditions of companies and organizations. IT auditing is one of the newer, emerging areas of support for internal audit. The internal audit group, if appropriately staffed with the resources, performs the monitoring and testing of IT activities within the control of the organization. Of particular concern to private corporations is the processing of data and the generation of information of financial relevance or materiality. The internal audit (IA) department reports directly to the president or board of directors. An internal auditor must be independent of the department heads and other executives whose work he or she reviews. Internal auditors, however, can never be independent in the same sense as the independent auditors, because they are employees of the company they are examining.
3.3.2 The External Auditor
The external auditor evaluates the reliability and the validity of systems controls in all forms. The principal objective of their evaluation is to minimize the amount of substantial auditing or testing of transactions required to render an opinion on a financial statement. External auditors are provided by public accounting firms and also exist in government as well. They can examine the work of both federal and private organizations.
3.3.3 The relationship between the external and internal auditors
The coordination of internal audit activity with external audit activity is very important from both points of view. From the external audit’s point of view, it is important because it gives external auditors the possibility of raising the efficiency of the financial statements audit; from the internal audit’s point of view, its relevance lies in the fact that this coordination provides the internal audit with additional essential information for the assessment of risk control (Dobroţeanu, L. and Dobroţeanu, C.L., 2002).
The importance of the relationship between internal audit and external audit is also reflected in the International Standards of Audit (610: considering the work of internal audit), which foresees, among others:
Both the internal and external auditors play an important role in ensuring such a process, where the internal auditor works within the company, ensuring effectiveness and efficiency within the firm, and the external auditors work as the independent assessors of the competence and reliance of the financial data of the firm (Pop, A., et al., 2008).
The external auditor should obtain a sufficient understanding of internal audit activities to identify and assess the risks of material misstatement of the financial statements and to design and perform further audit procedures.
The external auditor should perform an assessment of the internal audit function when internal auditing is relevant to the external auditor’s risk assessments.
3.3.4 Similarities and differences between internal audit and external audit
The researcher will present the main similarities that could be identified between internal and external audit:
Both the internal audit and the external audit professions are governed by a set of international standards issued by the professional body specific to each profession. This set of international standards includes the professional standards and the ethical code.
Risk is a very important element of the planning process for both internal and external auditors.
For both professions, the independence of the auditor is very important.
Internal and external audit are both concerned over the internal control system of the organization.
Both functions are interested in the cooperation between internal and external auditors.
For both functions, the results of their activity are presented through audit reports (Pop, A., et al., 2008).
Next, the researcher will try to underline the main differences between internal and external audit functions:
Table 1. Differences between internal and external audit functions. Source: (Pop, A. et al., 2008)
No. Criterion (Internal audit / External audit)

1. Position inside the organization
Internal audit: The internal auditors are part of the organization. Their objectives are determined by professional standards, the board, and management. Their primary clients are management and the board.
External audit: External auditors are not part of the organization but are engaged by it. Their objectives are set primarily by statute and their primary client – the board of directors.

2. Objectives
Internal audit: The internal auditor’s scope of work is comprehensive. It serves the organization by helping it accomplish its objectives, and improving operations, risk management, internal controls, and governance processes. Concerned with all aspects of the organization – both financial and nonfinancial – the internal auditors focus on future events as a result of their continuous review and evaluation of controls and processes.
External audit: The primary mission of the external auditors is to provide an independent opinion on the organization’s financial statements, annually.

3. Independence
Internal audit: Internal audit must be independent from the audited activities.
External audit: External audit is independent from its client, the organization, its independence being specific to liberal professions.

4. Approach of internal control
Internal audit: Internal audit regards all the aspects regarding the organization’s internal control system.
External audit: External audit regards the internal control system only from the materiality perspective, which permits them to eliminate those errors that aren’t significant, because they don’t have influences over the financial results.

5. Applying of the audit
Internal audit: Internal audit covers all the organization’s transactions.
External audit: External audit covers only those operations that have a contribution at the financial results and the performances of the organization.

6. Frequency of the audit
Internal audit: Internal audit performs during the entire year, having specific missions established in accordance with the level of risks identified for each auditable entity.
External audit: External audit is an activity with a yearly frequency, as a rule, at the end of the year.

7. Approach of risk
Internal audit: The importance of risk for the planning of internal audit activity is very high, the assessment of risk being combined with other types of information like financial and operational.
External audit: External audit uses the information of risks for the determination of nature, period of time and necessary audit procedures that should be performed in the auditable area, taking into consideration only financial aspects.

8. Consideration of risk factors
Internal audit: Internal audit takes into consideration at least the following risk factors (Colbert, J.L., 1995):
– Ethical climate and pressure on management to meet objectives;
– Competency, adequacy, and integrity of personnel;
– Asset size, liquidity, or transaction volume;
– Financial and economic conditions;
– Competitive conditions;
– Impact of customers, suppliers, and government regulations;
– Date and result of previous audits;
– Degree of computerization;
– Geographic dispersion of operations;
– Adequacy and effectiveness of the system of internal control;
– Organizational, operational, technological, or economic changes;
– Management judgments and accounting estimates;
– Acceptance of audit findings and corrective action taken;
External audit: External audit takes into consideration the following risk factors (Colbert, J.L., 1995):
– Management operating and financial decisions are dominated by a single person;
– Management’s attitude toward financial reporting is unduly aggressive;
– Management, particularly senior accounting personnel, turnover is high;
– Management places undue emphasis on meeting earnings projections;
– Management’s reputation in the business community is poor;
– Profitability of entity relative to its industry is inadequate or inconsistent;
– Sensitivity of operating results to economic factors is high;
– Rate of change in entity’s industry is rapid;
– Entity’s industry is declining with many business failures;
– Organization is decentralized without adequate monitoring;
– Internal or external matter raises substantial doubt about the entity’s ability to continue as a going concern;
– Contentious or difficult accounting issues are prevalent;
– There are significant and unusual related party transactions not in the ordinary course of business;
– Nature, cause (if known), or amount of known and likely misstatements detected in the audit of prior period’s financial statements is significant;
– The client is new with no prior audit history or sufficient information is not available from the predecessor auditor.

9. Approach of fraud
Internal audit: Internal audit is concerned about the frauds from all activities from the organization.
External audit: External audit is concerned only about the fraud from financial areas.
3.4 Auditing process
The audit is essentially an assurance function that some standard, method, or practice is followed. Depending on the type of audit, the auditor systematically examines the evidence for compliance to established criteria. The best practice in effective IT auditing is to start with an understanding of business functions, to identify which IT infrastructure is providing those functions, and to then consider the scope of the audit and controls best suited for that IT function. The same holds true for IT infrastructure and services provided by the cloud. In fact, most cloud providers are using IT systems models similar to those of their clients. These include: securing workstation (access) and server devices, core services (such as identity and authorization), and monitoring and logging functions. Therefore, many of the same controls and control frameworks (like COBIT or NIST) typically used for systems audits are also usable for auditing systems that are hosted or provided by cloud vendors.
But as businesses move into cloud environments, certain changes occur that auditors must recognize, as the move changes the scope of the audit and introduces new risk to systems. Cloud architectures are different from systems hosted by traditional infrastructure and auditors should pay close attention. Most auditors will find that an audit of cloud infrastructure should be similar to an audit of localized internal infrastructure but will have some uniquely important control areas: those that control access, authorization, and trusted control frameworks. The auditor must consider the business function that is being supported by the IT services or system that is being moved into the cloud. Questions about communications latency, data breach notification, and international laws (where the provider infrastructure moves data between international data centers) are all new potential issues for the cloud-hosted system. Auditors should study cloud solutions carefully since effective audits, including appropriate scope and controls, will be unique to each system. Audit in the cloud does have similar issues to standard infrastructure auditing that should be considered, such as clearly addressing conflict of interest and independence of the auditor, professional auditing practices and adequate technical training and proficiency of the auditor, and audit reports that clearly assert findings and qualified opinions based on evidence and documentation. The audit will be different for the cloud depending on the deployment model of cloud outsourcing (private, public, community, or hybrid) and the service model (Software as a Service [SaaS], Infrastructure as a Service [IaaS], Platform as a Service [PaaS]). The essential differences will be most evident in the public and hybrid types of clouds, as these will rely most heavily on contracts and (possibly complex) agreements and compliance to those agreements.
And because the use of the cloud implies the use of the Internet and an “extension” of the corporate network, all cloud models vary in features and controls that must be considered while planning and executing an audit (Ben Halpert, 2011).
A typical audit has several interrelated stages or activities, as follows:
3.4.1 Research and Information Gathering
This process includes interviews with staff and requests for documents and data. The purpose is to help the auditors better define where they may or may not assign audit resources. This advance process results in a better-focused audit effort and allows them to determine if value will likely be added from doing the audit (Thomas P. DiNapoli, 2016).
3.4.2 Entrance Conference
An entrance conference establishes a climate of cooperation, informs local government officials and other top management about the audit process and offers officials the opportunity for input (Thomas P. DiNapoli, 2016).
3.4.3 Preliminary Audit Survey
The audit team conducts a survey of organizational and operational information before the major audit effort begins. The objective is to develop a complete understanding of the organization and the areas that will be audited (Thomas P. DiNapoli, 2016).
3.4.4 Fieldwork Phase
This phase consists of the focused audit effort and usually comprises the single largest amount of time. The examiner in charge (EIC) supervises the day-to-day activities of the on-site audit team to ensure quality audit work is completed within predetermined time frames (Thomas P. DiNapoli, 2016).
3.4.5 Preliminary Audit Findings
After completing the fieldwork phase for each audit segment, the EIC or other audit staff will discuss the findings and conclusions with involved local government management (Thomas P. DiNapoli, 2016).
3.4.6 Exit Conference
At the completion of fieldwork, they will send a draft copy of written findings and recommendations, and instructions for responding to the audit, to each member of the governing board, the chief executive officer, and any other appropriate local officials. Audit team members will schedule an exit conference with appropriate local government management to discuss these findings and recommendations. The exit conference provides local officials the opportunity to clarify issues that are to be included in the final audit report (Thomas P. DiNapoli, 2016).
3.5 Audit Report
The audit report is the final step in the entire audit process. The auditor must gather sufficient and competent evidence to justify his opinion on the financial statements.
3.5.1 Reporting Standards
The four reporting standards require the auditor to prepare a report on the financial statement taken as a whole, including information disclosures. The reporting standards require:
The report shall state whether the financial statements are prepared in accordance with GAAP.
The report shall identify those circumstances in which such principles have not been consistently observed in the current period in relation to the preceding period.
Informative disclosures in the financial statements are to be regarded as reasonably adequate unless otherwise stated in the report.
The report shall show the auditor’s opinion on the financial statements, taken as a whole, or an assertion to the effect that the opinion cannot be expressed, and then the reasons must be stated.
In all cases where the auditor’s name is associated with the financial statements, the report should contain a clear-cut indication of the character of the auditor’s work and the degree of responsibility he is taking.
3.5.2 Auditor’s Standard Report
It is important to note that auditor’s reports on financial statements are neither evaluations nor any other similar determination used to evaluate entities in order to make a decision. The report is only an opinion on whether the information presented is correct and free from material misstatements, whereas all other determinations are left for the user to decide. Because of its importance in a financial statement audit, a basic understanding of the form and content of the standard report is essential. The standard report consists of three paragraphs and prescribed language. The three paragraphs are referred to as the introductory, scope, and opinion paragraphs, respectively.
3.5.3 Types of Audit Report
There are four categories of audit reports as follows:
1. Standard unqualified audit report: Often called a clean opinion, an unqualified audit report is issued when an auditor determines that each of the financial records provided by the business is free of any misrepresentations. In addition, an unqualified opinion indicates that the financial records have been maintained in accordance with the standards known as Generally Accepted Accounting Principles (GAAP). This is the best type of report a business can receive.
2. Unqualified audit report with explanatory paragraph or modified wording: meets the criteria of a complete audit of satisfactory results and financial statements that are fairly presented, but the auditor believes it is important or is required to provide additional information. In a qualified, adverse, or disclaimer report, the auditor either has not performed a satisfactory audit, is not satisfied that the financial statements are fairly presented, or is not independent. This type of modified wording report is also called shared opinion or report. A shared unqualified report is appropriate when it is impractical to review the work of the other auditor or when the portion of the financial statements audited by the other CPA is material in relation to the whole (Arens, 2012).
3. Qualified Opinion: where the auditor disagrees with or is uncertain about one or more particular items in the financial statements which are material but not fundamental to an understanding of the statements, a qualified opinion should be given (Annual report of KPMG, 2011).
4. Adverse or Disclaimer Opinion:
A. Adverse Opinion: The auditor issues an adverse opinion if he or she believes that the financial statements are misleading or materially misstated to the point where they do not fairly represent the financial position or results of the company operations. An adverse opinion can be issued only when the auditor has knowledge of the absence of conformity. It is used only when the departure from GAAP is extremely material. Because this is uncommon, the adverse opinion is frequently not used.
B. Disclaimer Opinion: On some occasions, an auditor is unable to complete an accurate audit report. This may occur for a variety of reasons, such as an absence of appropriate financial records. When this happens, the auditor issues a disclaimer of opinion, stating that an opinion of the firm’s financial status could not be determined.
Figure No.1 Four Categories of Audit Reports
Source: (Arens, 2012, P.49)
3.5.4 SAS 70 on Reports
When auditing vendors, you need to understand SAS (Statement on Auditing Standards) 70 reports. SAS 70 is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA) to deal with service organizations. It essentially provides a standard by which service organizations (such as those that provide IT services) can demonstrate the effectiveness of their internal controls without having to allow each of their customers to come in and perform their own audit. Without this standard, service organizations would expend a prohibitive volume of resources responding to audit requests from each customer. With this standard, service organizations can hire a certified independent service auditor (such as Ernst & Young) to perform an SAS 70 audit and issue a report.
This report can, in turn, be presented to any customers requiring evidence of the effectiveness of the service organization’s internal controls. SAS 70 reports have become particularly important since the implementation of Section 404 of the Sarbanes-Oxley Act in 2002, as companies can use them as evidence of the effectiveness of internal controls over many aspects of financial processing and reporting that have been outsourced. Without them, any company providing financial services would be bombarded with Sarbanes-Oxley audits from all of their customers, as opposed to being able to hand each customer the same SAS 70 report. SAS 70 service auditor reports are of two types: Type 1 and Type 2. Both types include a description of and an opinion on the design of the service organization’s internal controls at a point in time.
However, only a Type 2 report contains the results of testing by the service auditor regarding whether the controls were operating effectively during the period under review to provide assurance that the control objectives were achieved. As an auditor, you will want your service providers to provide a Type 2 report, as Type 1 reports do not provide evidence that the controls are operating effectively. For Sarbanes-Oxley purposes, it is also recommended that you influence your vendors to have their SAS 70 Type 2 audits performed with an end date of the examination period that falls within three months of the end of your fiscal year. Type 2 examinations are usually performed with an examination period of six to twelve months. So if the review period ends 6/30 and your fiscal year ends 12/31, the results will be six months old by the time you use it for your certification. This is not ideal, but Sarbanes-Oxley guidance does provide directions for how to deal with it, so the report still has value (Davis C., et al., 2011).
3.6 Audit Evidence & Documentation
3.6.1 Audit Evidence
Evidence is defined as: any information used by the auditor to determine whether the information being audited is stated in accordance with the established criteria. The information varies greatly in the extent to which it includes information that is highly persuasive, such as the auditor’s count of marketable securities, and less persuasive information, such as responses to questions of client employees (Arens, 2012).
3.6.2 Audit Evidence Decisions
A major decision facing every auditor is determining the appropriate types and amounts of evidence needed to be satisfied that the client’s financial statements are fairly stated. There are four decisions about what evidence to gather and how much of it to accumulate:
1. Which audit procedures to use?
2. What sample size to select for a given procedure?
3. Which items to select from the population?
4. When to perform the procedures?
An Audit Procedure is the detailed instruction that explains the audit evidence to be obtained during the audit. It is common to spell out these procedures in sufficiently specific terms so an auditor may follow these instructions during the audit. The list of audit procedures for an audit area or an entire audit is called an Audit Program. The audit program always includes a list of the audit procedures, and it usually includes sample sizes, items to select, and the timing of the tests. Many auditors use electronic audit software packages to generate audit programs. These software programs help the auditor address risks and other audit planning considerations and select appropriate audit procedures (Arens, 2012).
3.6.3 Types of Audit Evidence
In deciding which audit procedures to use, the auditor can choose from eight broad categories of evidence, which are called types of evidence. Every audit procedure obtains one or more of the following:
Physical examination: Is the inspection or count by the auditor of a tangible asset. This type of evidence is most often associated with inventory and cash, but it is also applicable to the verification of securities, notes receivable, and tangible fixed assets. There is a distinction in auditing between the physical examination of assets, such as marketable securities and cash, and the examination of documents, such as canceled checks and sales documents. If the object being examined, such as a sales invoice, has no inherent value, the evidence is called documentation (Arens, 2012).
Confirmation: Audit evidence that is from an external independent source is more credible than evidence from an internal source. Most financial auditors confirm balances (e.g., creditor’s balances and debtor’s balances) by sending out confirmation letters to external independent sources such as banks and vendors. However, in the majority of IT audits, audit evidence is derived from the system configurations. Configurations obtained by an auditor through observation of the system or via a reliable audit software tool are more reliable than data received from the auditee (Kamau O., 2012).
Documentation: Is the auditor’s inspection of the client’s documents and records to substantiate the information that is, or should be, included in the financial statements. The documents examined by the auditor are the records used by the client to provide information for conducting its business in an organized manner and may be in paper form, electronic form, or other media. Because each transaction in the client’s organization is normally supported by at least one document, a large volume of this type of evidence is usually available. Documentation is widely used as evidence in audits because it is usually readily available at a relatively low cost. Sometimes, it is the only reasonable type of evidence available (Arens, 2012).
Analytical procedures: consist of comparing items, for example, current year financial information with prior year financial information and analyzing predictable relationships such as the relationship of trade receivables with revenue. It can also be used to help identify any unusual trends or characteristics within the financial statements. What determines whether audit evidence is sufficient and appropriate will depend on a number of factors, such as:
The risk assessment.
The nature of the accounting and internal control systems.
The auditor’s experience of previous audits including the auditor’s knowledge of the business and the environment in which it operates.
The results of audit procedures.
The source and reliability of the information available (Radu.F and Ramona.F, 2011).
Inquiries of the client: involves seeking information from knowledgeable persons inside or outside the entity. Confirmation is the name given to a specific form of inquiry that is particularly widely used. It involves obtaining written confirmation from a third party, typically, although not exclusively, in relation to an account balance in which the third party has an interest (Radu.F and Ramona.F, 2011).
Recalculation: involves checking the arithmetic accuracy of client’s records (Collings Steve, ISA 500 - Audit evidence, http://www.accountancystudents.co.uk). Auditors commonly recalculate a company’s accounting reports or documents as part of the audit process. These procedures apply to financial statements, reconciliations, cost reports and other documents.
Auditors use these technical procedures to ensure a company is accurately applying basic accounting principles to its financial transactions. Conducting these recalculations independently also allows auditors to review information in individual financial accounts to ensure these items are correctly entered into the accounting ledger (Radu.F and Ramona.F, 2011).
Re-performance: Re-performance is the auditor’s independent tests of client accounting procedures or controls that were originally done as part of the entity’s accounting and internal control system. Whereas recalculation involves rechecking a computation, re-performance involves checking other procedures. Another type of re-performance is for the auditor to recheck transfers of information by tracking information included in more than one place to verify that it is recorded at the same amount each time (Arens, 2012).
Observation: It is suggested that observation should be carried out by two auditors. This is to corroborate what the auditor observed and to avoid instances in which management refutes the findings of the observation. In addition, observation is key in establishing segregation of duties. When auditing, where possible, the auditor should spend some time with the auditees. This will afford the auditor the opportunity to see exactly what is happening, not what should happen (Kamau O., 2012).
Figure No. 2 shows the relationships among auditing standards, types of evidence, and the four evidence decisions. Auditing standards provide general guidance in three categories, including evidence accumulation. The types of evidence are broad categories of the evidence that can be accumulated. Audit procedures include the four evidence decisions and provide specific instructions for the accumulation of evidence.
Figure No.2 Relationships among auditing standards, Types of evidence, and the four audit evidence decisions
Source: (Arens, 2012, P.180)